UCLA Health System Fined $865,000

The U.S. Department of Health and Human Services' Office for Civil Rights has entered into a resolution agreement with the University of California at Los Angeles Health System to settle violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules.

UCLAHS has agreed to pay a fine of $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.

The investigation began in 2009 after complaints were filed on behalf of two celebrity patients, alleging that employees at UCLAHS repeatedly viewed their electronic protected health information, as well as that of other patients, without permission.

"From August 31, 2005 to November 16, 2005, workforce members repeatedly and without a permissible reason examined the electronic protected health information of the patients, and again did so between January 31, 2008 to February 2, 2008," according to a statement from HHS.

During the same period of time, UCLAHS failed to provide appropriate training for all members of the workforce, did not apply sanctions to, or document, workers who examined the health records, and neglected to implement security measures "sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level," according to the statement.

UCLAHS, in its agreement, will:

Pay HHS the amount of $865,500;

Review, revise and maintain, as necessary, existing policies and procedures and develop written policies and procedures that comply with federal standards that govern the privacy of individually identifiable health information;

Distribute updated policies and procedures (having been reviewed by HHS) to all current and new members of its workforce who have access to protected health information within 30 days of HHS approval; and

Update policies and procedures at least annually and more frequently if appropriate.

"Our patients' health, privacy and well-being are of paramount importance to us," says Dr. David T. Feinberg, CEO of UCLAHS and associate vice chancellor for health sciences, in a prepared statement. "We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated."

In 2010, a former surgeon at UCLAHS, Huping Zhou, was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou became the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California. [See: HIPAA Violation Leads to Prison Term]

HHS enforces the federal standards that govern the privacy of individually identifiable health information under HIPAA and the federal standards that govern the security of electronic health information. HHS has the authority to investigate complaints alleging violations of HIPAA by covered entities, and those covered entities must cooperate with the investigations HHS conducts.

About the Author

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
